Email, web, ftp or whatever are all different, and each can be
controlled or supplied independently of the other. This means that
Jack in your office can have complete access to everything, Mary
gets only email, and poor Bill gets nothing at all.

You don't necessarily need a static ip address even if you want
to provide a web or ftp site.

You don't need Microsoft Exchange to use Outlook or Outlook
Express. These work quite happily with any POP or IMAP server.

You can have an internal email domain but host your web site
elsewhere. That means that mail for yourcompany.com can come
directly to your office, but that www.yourcompany.com is hosted
somewhere else. Web and mail are two different things and can be
separated.

You don't need (or even want) real ip addresses for each
machine in your office.

Connectivity

The first thing is to get connected. Your choices range from
dialup PPP to full T1's or even higher (assuming you had the money
and the need), but the typical small office probably will be using
DSL, Frame Relay or a partial T1. Cable access is also starting to
be seen.

At the lower ends of connectivity (DSL and Cable), the provider
almost always also deals in the home connectivity market and
therefore will provide some Windows based software, and that
software may also be capable of sharing multiple machines. I'm not
going to preach here why you don't want a business network relying
on something like that; we're just going to plunge ahead into
better options. However, I will note that (as usual) you probably
are going to have to deal with Windows-centric support folk.

When dealing with these providers, be sure they understand what
you want, and that you understand what they are providing and not providing. If you want
a static IP address, be sure to say so, but also watch out that
they don't give you (and charge you for) real IP addresses for
every machine you have. If you are going to use a computer as a
router, you don't need them to provide a router (though sometimes
they will have to anyway just because it is part of their
connection). The same is true for firewall, NAT or proxy
software.

If you don't understand all of this after reading this and the
related articles, you probably should hire someone who does to deal
with all of this. You can waste a lot of money- I've seen many
$10,000-20,000 installations that could have been done for a tenth
of the cost.

Your Internal Network

You want to isolate your internal network from the Internet. The
internal machines will have access to the web, to email, to ftp or
to whatever you want to give them access to, but the big bad world
shouldn't have access to them. Of course, there may be some
machines or services that you do want the outside world to have
access to, but your starting position should be everything isolated
and closed off.

To achieve that isolation, the internal machines will use one of
the private, unassigned network ranges, such as 10.x.x.x or
192.168.x.x or 172.16.x.x (if you don't understand this, see
Networking 101). The advantage
of this is that such addresses are non-routable on the Internet, so
are effectively invisible and unusable- even if you connected a
machine with such an address directly to the Internet, it wouldn't
work, and that in itself is a large part of the isolation and
protection we want. We give these invisible machines access through
a gateway machine, a machine or router that has one address that is
in our internal, private network, and one address that is real, and
that real address is the connection to the internet. If we're using
a computer for that function, that computer will have two network
cards unless your internet connection is dialup.

Static or Dynamic IP

Your internet address (the external, real address) can be
constant, or it can be assigned by DHCP. The advantage to a static,
unchanging ip address is just that: it doesn't change. If you are
providing access from the outside world to your network, that's
very helpful. However, it's not absolutely necessary.

Most access to you isn't done by ip numbers anyway, it's done by
name. Somebody points their web browser at www.yourcompany.com, not
at 64.109.x.x or whatever. The actual ip address is looked up by
DNS (Domain Name Service). When you registered yourcompany.com,
somebody (probably your ISP) became responsible for providing that
address to machines that need it.

If the address is static, the ISP just typed in that number once
and then leaves it at that- your address never changes. However, if
you have a dynamic address, it can and will change every now and
then. Normally, you might keep the same address for days or even
longer- the DHCP software generally is designed and configured to
do that, but potentially you have the possibility of having your
address change at any time. If you want "mycompany.com" to point to
whatever address you have today, you need a Dynamic DNS Service to
be the ones responsible for your address lookup, and you need to
notify them (automatically, of course, through software) that your
address has changed so that they can update their tables. There are
all sorts of such services available, from free to not free; just
search the Web for Dynamic DNS Service and you'll find plenty to
choose from.
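The "notify them automatically through software" step above is what a dynamic DNS client does. The following is an added example, not code from the article and not any real provider's client: the piece that probes your current external address and the piece that talks to the service are supplied by the caller (here a constructed in-memory stand-in), so it runs offline. What it shows is the part that matters in practice: send an update only when the address actually changed, and if the update fails, remember that it failed so the next poll retries instead of silently leaving the old record in place.

```python
"""Change-detecting dynamic DNS updater (added example, not from the article)."""


class DynDnsUpdater:
    """Polls the external address and notifies a Dynamic DNS service on change.

    `notify(hostname, ip)` is whatever call your provider requires; it is
    injected here so this example has no network dependency.
    """

    def __init__(self, hostname, notify, last_known=None):
        self.hostname = hostname
        self.notify = notify          # callable(hostname, ip); raises on failure
        self.last_known = last_known  # address the service currently has for us
        self.updates_sent = 0
        self.failed_attempts = 0

    def check(self, current_ip):
        """Return True if an update was sent for `current_ip`, False otherwise."""
        if current_ip == self.last_known:
            return False              # nothing changed; don't hammer the service
        try:
            self.notify(self.hostname, current_ip)
        except Exception:
            self.failed_attempts += 1
            return False              # keep last_known stale so we retry next poll
        self.last_known = current_ip
        self.updates_sent += 1
        return True


# Constructed stand-in for a provider: a table of hostname -> address.
class FakeDynDnsService:
    def __init__(self, fail_next=0):
        self.records = {}
        self.fail_next = fail_next    # simulate N transient failures

    def update(self, hostname, ip):
        if self.fail_next > 0:
            self.fail_next -= 1
            raise ConnectionError("service unreachable (simulated)")
        self.records[hostname] = ip


def run_polls(polls, fail_first=0):
    """Feed a sequence of observed external addresses through the updater.

    Returns (updates_sent, failed_attempts, final record table).
    """
    service = FakeDynDnsService(fail_next=fail_first)
    updater = DynDnsUpdater("office.example.com", service.update)
    for ip in polls:
        updater.check(ip)
    return updater.updates_sent, updater.failed_attempts, dict(service.records)


if __name__ == "__main__":
    # Addresses below are constructed documentation ranges, not real hosts.
    print(run_polls(["203.0.113.5", "203.0.113.5", "203.0.113.9"]))
```

With the three-poll sequence above, only two updates go out (the repeated address is skipped), and with a simulated failure on the first attempt the updater retries on the next poll rather than recording the address as published.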

Either way, you now have the ability to offer services (web,
ftp, etc.) from your computers. The service could be on a computer
that has a real ip address, or it could actually be inside your
network on one of the machines with those invisible, private
addresses. How is that possible? Special software sitting on the
machine that does have the real address redirects packets inward to
the private address. This is an inward or reverse proxy function-
most routers have this capability also.

Firewall/Gateway/Router

This is what will provide the access and the NAT (Network
Address Translation) that will let the internal machines work
behind it. NAT is the software that translates an unroutable
internal address into a real, usable external address.

If you want to be very compulsive and technical, most of us
really use PAT (Port Address Translation) which is an overloaded
NAT. Folks who worry about such distinctions think of NAT as
providing a specific external address for each outgoing internal
address. That wouldn't necessarily mean that you would have just as
many external addresses as internal, but it would mean that the
number of concurrent uses would be limited by the number of
external addresses. With PAT, one external address is used for all
internal machines- the software keeps track of what belongs to
what by using different port numbers in the packets.

A firewall also limits what can come in to your machine from
outside. The difficulty here is that you may actually want to
provide some services: you may want to run a web site, or allow
telnet or ftp access to your machine. That makes the firewall's job
more difficult: it's fairly easy to just lock everything up so
there is no access at all, but it's much more difficult to let the
good guys in while keeping the bad guys out.
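To make the three ideas above concrete (PAT sharing one external address by port number, the inward redirect to a private machine, and a firewall that lets replies and published services in while dropping everything else), here is an added example of a toy gateway model. It is not code from the article and not how any particular router or firewall implements these functions; the addresses, the table layout and the rule format are all constructed for illustration.

```python
"""Toy PAT (overloaded NAT) gateway with port forwarding and default-deny inbound.

Added example, not from the original article. All addresses are constructed
from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    def __init__(self, external_ip, internal_net, forwards=None, first_port=40000):
        self.external_ip = external_ip
        self.internal_net = ipaddress.ip_network(internal_net)  # our private range
        # Published services: external port -> (internal ip, internal port).
        self.forwards = dict(forwards or {})
        self._next_port = first_port
        # Translation table: external port -> (int ip, int port, remote ip, remote port)
        self._by_ext_port = {}
        # Reverse index: (int ip, int port, remote ip, remote port) -> external port
        self._by_flow = {}

    def outbound(self, pkt):
        """Translate a packet leaving the office; None means it is dropped."""
        if ipaddress.ip_address(pkt.src_ip) not in self.internal_net:
            return None  # not from our private network: refuse to represent it
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self._by_flow:
            port = self._next_port          # hand out a fresh external port
            self._next_port += 1
            self._by_flow[flow] = port
            self._by_ext_port[port] = flow
        return Packet(self.external_ip, self._by_flow[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means dropped."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self._by_ext_port.get(pkt.dst_port)
        if entry is not None:
            int_ip, int_port, remote_ip, remote_port = entry
            # Only the host we talked to may answer on this port.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
            return None
        if pkt.dst_port in self.forwards:
            int_ip, int_port = self.forwards[pkt.dst_port]  # published service
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
        return None  # nothing asked for this: default deny


def demo():
    """Walk two internal machines and one outside host through the gateway."""
    gw = PatGateway("203.0.113.5", "192.168.1.0/24", forwards={80: ("192.168.1.10", 80)})
    jack = gw.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 80))
    mary = gw.outbound(Packet("192.168.1.21", 51000, "198.51.100.7", 80))
    reply = gw.inbound(Packet("198.51.100.7", 80, "203.0.113.5", jack.src_port))
    stranger = gw.inbound(Packet("198.51.100.9", 80, "203.0.113.5", jack.src_port))
    web = gw.inbound(Packet("198.51.100.7", 34567, "203.0.113.5", 80))
    telnet = gw.inbound(Packet("198.51.100.7", 34567, "203.0.113.5", 23))
    return jack, mary, reply, stranger, web, telnet


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running it shows the two internal machines leaving with the same external address but different ports, the reply coming back to the right desk, a stranger's packet on that port being dropped, the published web server reachable from outside, and an unsolicited telnet attempt going nowhere.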

As mentioned above, the services you provide could be located on
the firewall machine, or on a machine inside your network. They
could also be hosted on a machine outside the firewall- this is
often called a DMZ (Demilitarized Zone). Basically you have an
external network with real IP addresses and one of these is a
gateway/firewall to your internal network. More complicated
installations have multiple layers of firewalls.

You'll also hear the term "proxy server". Actually, NAT provides
a proxy service; proxy just means that somebody else is
representing you, and that's just what NAT does. However, when
people say "proxy server", they usually mean something different,
and they usually specifically mean a web browsing proxy server. The
difference is this: with NAT, you don't do anything special to
browse the web- just use your browser with your default gateway
pointing at the NAT machine and it works. However, if you have a
web proxy server, you need to tell your browser that you are using
it- that's a setting you make that points your browser to the proxy
(that may be done automatically by DHCP). Often, the proxy server
is also a cache server- it will cache frequently accessed pages to
improve performance. It may also offer filtering capabilities- the
ability to restrict access to certain pages or perhaps to grant or
deny access to certain users.

You don't necessarily need a proxy server to deny services to
certain users. Often the NAT software has basic filtering
capability, and you can also use software such as TCP Wrappers to control access.

Where is it?

That brings me to another area of confusion. People get confused
about web sites, email and ftp. They want to host their web site
externally, and get confused about email and how this all works.
The clue to understanding your options is DNS.

Whenever any access is made by name, the actual ip address gets
looked up in DNS. If you have a domain name, somebody, somewhere,
is responsible for knowing the addresses associated with that name.
You can find out who that somebody is by using "whois" or just with
"dig":

dig yourdomain.com any

The DNS keeps track of every host name you use
(www.yourdomain.com, ftp.yourdomain.com) and also tracks one more
very important address: the MX or Mail Exchange record. Each host
name can point to a different address: www.yourdomain.com and
ftp.yourdomain.com could be located thousands of miles apart, on
totally different machines. The MX record can also be different.
So, you might have your web site hosted by someone like Hostpro,
your FTP site somewhere else, and an MX record pointing directly to
a mail server at your place of business. You can also have multiple
names pointing to the same place: I have pcunix.com and
aplawrence.com but both domains go to the same places.
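To see "where is it?" in the actual records, here is an added example (not from the article) that parses the answer section of a dig query and resolves each service name to its address, following the MX record through to the mail host. The answer lines are constructed to mimic dig's `name TTL IN TYPE rdata` layout for a domain whose web site, FTP site and mail server all live on different machines; the addresses are documentation ranges, not real hosts.

```python
"""Parse a dig answer section and show where each service of a domain lives.

Added example, not code from the article. The answer text below is
constructed; run `dig +noall +answer yourdomain.com any` (and the same for
www/ftp/mail) to get the real thing.
"""

# Constructed output resembling dig's answer section for a domain.
DIG_ANSWER = """\
; <<>> constructed sample, not real dig output <<>>
yourdomain.com.       3600 IN A     198.51.100.20
www.yourdomain.com.   3600 IN A     198.51.100.20
ftp.yourdomain.com.   3600 IN A     203.0.113.40
yourdomain.com.       3600 IN MX    20 backup.yourdomain.com.
yourdomain.com.       3600 IN MX    10 mail.yourdomain.com.
mail.yourdomain.com.  3600 IN A     192.0.2.5
backup.yourdomain.com. 3600 IN A    192.0.2.6
"""


def parse_answer(text):
    """Return a list of (name, type, rdata) tuples; names are lower-cased without
    the trailing dot, and comment lines (starting with ';') are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not a resource record line
        name = fields[0].lower().rstrip(".")
        rtype = fields[3]
        rdata = " ".join(fields[4:])
        records.append((name, rtype, rdata))
    return records


def addresses(records, name):
    """All A-record addresses for a host name."""
    name = name.lower().rstrip(".")
    return [r for n, t, r in records if n == name and t == "A"]


def mail_hosts(records, domain):
    """MX targets for a domain, lowest preference (most preferred) first."""
    domain = domain.lower().rstrip(".")
    mx = []
    for n, t, r in records:
        if n == domain and t == "MX":
            pref, target = r.split(None, 1)
            mx.append((int(pref), target.rstrip(".").lower()))
    return [target for _, target in sorted(mx)]


def where_is(records, domain):
    """Map each service to the address it actually resolves to."""
    primary_mx = mail_hosts(records, domain)[0]
    return {
        "web": addresses(records, "www." + domain),
        "ftp": addresses(records, "ftp." + domain),
        "mail": addresses(records, primary_mx),
    }


if __name__ == "__main__":
    for service, addrs in where_is(parse_answer(DIG_ANSWER), "yourdomain.com").items():
        print(f"{service:5} -> {', '.join(addrs)}")
```

The point the output makes is the one in the text: www, ftp and the MX target are three independent lookups, so each can live wherever you choose, and changing one does not move the others.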

POP, IMAP, SMTP

SMTP means Simple Mail Transport Protocol- it's how email moves
across the Internet. Once email gets to your mail server, you'll
use POP or IMAP to get it to your Windows machine. Neither POP nor
IMAP deliver mail or are used to send mail- they are only what
moves the mail from the server to your machine. When you send mail
from a Windows machine, you aren't using POP or IMAP- you are
talking to an SMTP server. That may, of course, be running on the
same machine, but it could be different.

The major difference between POP and IMAP is that IMAP downloads
only header information until you actually want to read the
message. This is good for slow links: you don't waste time
downloading the body of a message you aren't going to read.

Sendmail is what sends mail OUT. If you have a domain name, and
have a SMTP server, you can have your MX (mail exchange) record
pointed to your server. In that case, sendmail (or something like
it) would handle incoming mail also.

If you don't (or even if you do), you might have a multidrop POP
mailbox somewhere. That's a mailbox where all your mail gets
collected. It's called multidrop because you can have any number of
names going to one place. In this case, you'd use something like
"fetchmail" on your server to bring the mail down and distribute
it.

What now?

You can build your own gateway and firewall using SCO or Linux-
the links at the beginning of this article cover the specific
details. You can also buy packaged solutions like the E-Smith
server also referenced above. For small offices, you can use
products like Multitech's Routefinder or ProxyServer.

Or, you can go out and spend a ton of money on a high priced
Cisco router, an NT server with Exchange, and a Pix firewall. After
all, it's your money, and if you want to waste it, that's certainly
your choice.